Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-34704
Publication date:
14/05/2024
era-compiler-solidity is the ZKsync compiler for Solidity. The problem occurred during instruction selection in the `DAGCombine` phase while visiting the XOR operation. The issue arises when attempting to fold the expression `!(x cc y)` into `(x !cc y)`. To perform this transformation, the second operand of XOR should be a constant representing the true value. However, it was incorrectly assumed that -1 represents the true value, when in fact, 1 is the correct representation, so this transformation for this case should be skipped. This vulnerability is fixed in 1.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-34706
Publication date:
14/05/2024
Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token (JWT) of the user is exposed to `api.form.io` via the the `x-jwt-token` header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is caused by a misconfiguration of the Form.io component.<br /> <br /> The following conditions have to be met in order to perform this attack: An attacker needs to have access to the network traffic on the `api.form.io` domain; the content of the `x-jwt-token` header is logged or otherwise available to the attacker; an attacker needs to have network access to the Valtimo API; and an attacker needs to act within the time-to-live of the access token. The default TTL in Keycloak is 5 minutes.<br /> <br /> Versions 10.8.4, 11.1.6 and 11.2.2 have been patched.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-34699
Publication date:
14/05/2024
GZ::CTF is a capture the flag platform. Prior to 0.20.1, unprivileged user can perform cross-site scripting attacks on other users by constructing malicious team names. This problem has been fixed in `v0.20.1`.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-34701
Publication date:
14/05/2024
CreateWiki is Miraheze&amp;#39;s MediaWiki extension for requesting &amp; creating wikis. It is possible for users to be considered as the requester of a specific wiki request if their local user ID on any wiki in a wiki farm matches the local ID of the requester at the wiki where the wiki request was made. This allows them to go to that request entry&amp;#39;s on Special:RequestWikiQueue on the wiki where their local user ID matches and take any actions that the wiki requester is allowed to take from there.<br /> <br /> Commit 02e0f298f8d35155c39aa74193cb7b867432c5b8 fixes the issue. Important note about the fix: This vulnerability has been fixed by disabling access to the REST API and special pages outside of the wiki configured as the "global wiki" in `$wgCreateWikiGlobalWiki` in a user&amp;#39;s MediaWiki settings.<br /> <br /> As a workaround, it is possible to disable the special pages outside of one&amp;#39;s own global wiki by doing something similar to `miraheze/mw-config` commit e5664995fbb8644f9a80b450b4326194f20f9ddc that is adapted to one&amp;#39;s own setup. As for the REST API, before the fix, there wasn&amp;#39;t any REST endpoint that allowed one to make writes. Regardless, it is possible to also disable it outside of the global wiki by using `$wgCreateWikiDisableRESTAPI` and `$wgConf` in the configuration for one&amp;#39;s own wiki farm..
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-34697
Publication date:
14/05/2024
FreeScout is a free, self-hosted help desk and shared mailbox. A stored HTML Injection vulnerability has been identified in the Email Receival Module of the Freescout Application. The vulnerability allows attackers to inject malicious HTML content into emails sent to the application&amp;#39;s mailbox. This vulnerability arises from improper handling of HTML content within incoming emails, allowing attackers to embed malicious HTML code in the context of the application&amp;#39;s domain. Unauthenticated attackers can exploit this vulnerability to inject malicious HTML content into emails. This could lead to various attacks such as form hijacking, application defacement, or data exfiltration via CSS injection. Although unauthenticated attackers are limited to HTML injection, the consequences can still be severe. Version 1.8.139 implements strict input validation and sanitization mechanisms to ensure that any HTML content received via emails is properly sanitized to prevent malicious HTML injections.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2024-34698
Publication date:
14/05/2024
FreeScout is a free, self-hosted help desk and shared mailbox. Versions of FreeScout prior to 1.8.139 contain a Prototype Pollution vulnerability in the `/public/js/main.js` source file. The Prototype Pollution arises because the `getQueryParam` Function recursively merges an object containing user-controllable properties into an existing object (For URL Query Parameters Parsing), without first sanitizing the keys. This can allow an attacker to inject a property with a key `__proto__`, along with arbitrarily nested properties. The merge operation assigns the nested properties to the `params` object&amp;#39;s prototype instead of the target object itself. As a result, the attacker can pollute the prototype with properties containing harmful values, which are then inherited by user-defined objects and subsequently used by the application dangerously. The vulnerability lets an attacker control properties of objects that would otherwise be inaccessible. If the application subsequently handles an attacker-controlled property in an unsafe way, this can potentially be chained with other vulnerabilities like DOM-based XSS, Open Redirection, Cookie Manipulation, Link Manipulation, HTML Injection, etc. Version 1.8.139 contains a patch for the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
10/01/2025

CVE-2024-34695
Publication date:
14/05/2024
WOWS Karma is a reputation system for Wargaming&amp;#39;s World of Warships. A user is able to click multiple times on "create" on a post creation prompt before the modal closes, which triggers sending several post creation API requests at once. Due to timing, sending multiple posts simultaneously requests bypasses the cooldown validation, however are not refreshing a user&amp;#39;s metrics more than once, due to concurrent karma updates. This issue is fixed in 0.17.4.1.
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-34559
Publication date:
14/05/2024
Insertion of Sensitive Information into Log File vulnerability in Ghost Foundation Ghost.This issue affects Ghost: from n/a through 1.4.0.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-34556
Publication date:
14/05/2024
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in UkrSolution Barcode Scanner with Inventory &amp; Order Manager.This issue affects Barcode Scanner with Inventory &amp; Order Manager: from n/a through 1.5.4.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-34557
Publication date:
14/05/2024
Cross-Site Request Forgery (CSRF) vulnerability in UkrSolution Barcode Scanner with Inventory &amp; Order Manager.This issue affects Barcode Scanner with Inventory &amp; Order Manager: from n/a through 1.5.4.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-34550
Publication date:
14/05/2024
Insertion of Sensitive Information into Log File vulnerability in AlexaCRM Dynamics 365 Integration.This issue affects Dynamics 365 Integration: from n/a through 1.3.17.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024

CVE-2024-34555
Publication date:
14/05/2024
Unrestricted Upload of File with Dangerous Type vulnerability in URBAN BASE Z-Downloads.This issue affects Z-Downloads: from n/a through 1.11.3.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
14/05/2024
Subscribe to Vulnerabilities